“Defense in Depth”: Why a Layered Approach Is Needed to Secure Data
Published On October 16, 2020
Article by Kate Gamble, healthsystemCIO.com
As healthcare organizations grapple with the myriad challenges stemming from the COVID-19 pandemic, the one thing that has remained a constant is change. From how IT teams collaborate to how care is delivered, the landscape has evolved dramatically - and that means the security strategy must do the same to keep pace. Whereas in years past, lost or stolen laptops and USB drives were the key concern, now CISOs are dealing with a more nefarious foe.
“For the first time in our history, the highest-ranking, most prominent breaches in healthcare are happening from active hacker attacks,” said Brian Selfridge, Partner and Director of IT Risk Management with Meditology Services.
As the remote workforce assumes a larger presence and footprint, it means more devices need to be protected, and more opportunities for bad actors.
“Our data is everywhere; we’re not confined to a single data center, a single repository, or a single network that we can lock down and feel secure. We’ve got sensitive data all over the place,” Selfridge said. The challenge now is figuring out how to follow it and protect it - not an easy feat given the fact that the traditional perimeter has been shattered.
During a recent webinar, Selfridge spoke with Randy Nale (Director, Modern Workplace, Microsoft) and Wes Wright (CTO, Imprivata) on how the environment has changed, and what leaders can do to safeguard data.
Identity is the new…
The difficult part is that most healthcare entities manage hundreds of third-party applications, and the data reside on an array of devices and locations, including smartphones, tablets, and traditional EHR systems. What that means, according to Selfridge, is that it’s not as simple as merely securing a vault. “The idea that we can post guards and monitors around the network is no longer a viable concept in protecting sensitive information.”
It’s precisely why security experts have said that identity is the new perimeter.
Wright, however, went a step further, explaining that identity is actually the new control plane. “It’s through digital identity that you can control access to applications and data sets, even network resources.”
This type of control wasn’t necessarily warranted in the past. That, of course, changed with the proliferation of devices like the iPad that required physicians and nurses to access applications that existed outside of the perimeter. “We really did it to ourselves. We poked so many outgoing holes in the perimeter that we made the perimeter less of a barrier and more of a sea.”
The control plane, however, isn’t a substitute for the tried-and-true techniques of firewalls and segmentation, but rather, another layer in what should be a multifaceted strategy, said Nale, referring to the concept of defense in depth. This model involves layering on defenses or controls so that in the event of a breach, everything isn’t lost. “Identity has become one of the most outer bound layers of that defense, while also permeating all of those layers.”
Trust, but verify
At Microsoft, one of the controls used is the Intelligent Security Graph, where data from control points are gathered to help make decisions about what data should be accessed, and by whom. Another is conditional access, which provides multiple checkpoints to validate, and re-validate, the identity of users as they attempt to access different applications.
“It’s just an extension of that defense in depth concept to accommodate the fact that we’re all working from our homes,” said Nale.
And while some organizations were far along in their digital transformation journey - and were prepared to manage the surge in telecommuters - many were not prepared to do multifactor authentication or remote access from home, according to Wright. “That’s one of the most important things, in my opinion, that you should be doing. If your remote workforce doesn’t have to do some type of secondary authentication to get to network resources, I feel bad for you.”
In these cases, he advised leaders to heed Ronald Reagan’s famous advice: trust but verify. “It’s saying, yes, I trust that your username and password are legitimate and that you are who you say you are. But because you’re not here in the office anymore, we need to verify,” he said. “It’s more important than ever because you have more vulnerability than you ever had.”
Adding more complexity was the fact that nurses and other personnel were being moved to other areas to ensure coverage, which meant new access had to be granted. The problem, said Wright, is that in many cases, “no one kept track of the entitlements that were given out,” and as a result, no one took them away. And so CIOs, CTOs and CISOs were forced to deal with “a huge pot of spaghetti that needed to be untangled.” One move that could have alleviated that problem, he noted, is implementing an identity access management system.
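The entitlement sprawl Wright describes is far easier to untangle when every grant is recorded with who approved it, why, and for how long. The Python below is an added illustration, not code from the webinar, Imprivata or Microsoft: it reconciles a constructed grant ledger against the access currently in effect and reports both access nobody recorded and surge-coverage grants that have outlived their window.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str            # application role or data-set permission
    granted_by: str
    reason: str                 # why it was handed out (standing role, surge coverage, ...)
    granted_at: datetime
    expires_at: Optional[datetime]  # None = standing access tied to the user's normal role

# Constructed sample ledger: what the IAM system knows was granted, and why.
GRANTS = [
    Grant("alice", "ICU-nursing", "nursing-director", "standing role",
          datetime(2019, 1, 10), None),
    Grant("bob", "ICU-nursing", "nursing-director", "COVID surge coverage",
          datetime(2020, 3, 20), datetime(2020, 5, 1)),
    Grant("carol", "pharmacy-orders", "pharmacy-lead", "COVID surge coverage",
          datetime(2020, 3, 25), datetime(2020, 6, 30)),
]

# Constructed sample of what the applications actually enforce today
# (e.g. pulled from each system's role membership export).
CURRENT_ACCESS = {
    ("alice", "ICU-nursing"),
    ("bob", "ICU-nursing"),
    ("carol", "pharmacy-orders"),
    ("dave", "ICU-nursing"),      # handed out during the surge, never recorded
}

def stale_grants(grants, current_access, now):
    """Return (orphaned, expired).

    orphaned: access in effect with no recorded grant at all (the 'spaghetti').
    expired:  recorded temporary grants whose window has closed but that are
              still in effect, i.e. nobody took them away.
    """
    recorded = {(g.user, g.entitlement): g for g in grants}
    orphaned = sorted(a for a in current_access if a not in recorded)
    expired = sorted(
        (g.user, g.entitlement) for g in grants
        if g.expires_at is not None
        and g.expires_at <= now
        and (g.user, g.entitlement) in current_access
    )
    return orphaned, expired

def review(now=datetime(2020, 6, 1)):
    """Run the reconciliation on the constructed sample data."""
    return stale_grants(GRANTS, CURRENT_ACCESS, now)
```

Both lists are revocation work items; the orphaned list is also a sign that a grant path exists outside the IAM system and should be closed.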
A “wildly complex” ecosystem
Before any steps can be taken, leaders need to assess their organization’s level of digital maturity, said Selfridge. “Our technology ecosystem in healthcare is just wildly complex compared to almost any other vertical. And so we struggle to understand what systems and what access controls we have in place sprawled across that entire portfolio,” whether it’s in-house or cloud-hosted solutions.
Most fall into one of three categories:
- Less mature (typically small to midsized organizations that rely on third-party vendors for role-based access)
- Somewhat mature (organizations that have invested in multifactor authentication for remote access and may have started to implement role-based access)
- More mature (typically larger and better funded health systems and payers that have “the bells and whistles to do this right”)
The key, he noted, is in understanding what grouping your organization falls into, and where you are on the curve. The goal is to reach the third category so that you can “start to take advantage of the great tool sets and capabilities that are out there in the market right now,” such as identity access management and provisioning, positive patient identification, and identity governance, among others. “They’re becoming more economically viable and affordable. That’s a key game-changer.”
One factor making that possible is Microsoft’s partnership with Imprivata, said Nale. “It takes what we do as a platform and extends that to healthcare-specific applications by implementing governance and trying to get to, maybe, not a single vendor, but a universal or a unified identity.” In doing so, the two organizations can help create a unified identity for employees, contractors, patients, and external providers, and meet what has become a significant need across the industry.
And, perhaps more importantly, they provide expertise that can prove to be a difference maker, according to Wright, who highly recommended selecting a suite of tools specifically designed for healthcare. “We’ve been doing healthcare for a long time. We have tons of practicing clinicians on our staff that, at least once a week, go out and practice in clinics. They know what works and what doesn’t.”
An archive of this webinar, Identity Governance as the Key to Future-Proofing Your Security Posture, is available for viewing.